Warfighters must keep their eye on the metrics to manage and secure military networks.


By Paul A. Strassmann 


Network systems are similar to icebergs. Less than 10 percent of their volume is visible to the user of an application. Almost all of the hidden code, measured in hundreds of thousands of lines of logic, is invisible in the operating system, in the database management software, in security safeguards and in communication routines. The problem with such software is that for each application—and the U.S. Defense Department has more than 7,000 major software projects—contractors will develop the hidden coding to suit separate requirements.

Even the operating systems—some from the same vendor—will have sufficient variability so as not to be reusable. Contractors then will add special-purpose software routines from different vendors as custom “glue” to make the software code function. Contractors also will patch in custom code to make an application survive stringent testing requirements.

Such results are hugely expensive and hard to maintain. Applications developed separately will not share most of the common 90 percent of the code that remains submerged within the information infrastructure. Network systems will not be interoperable, except through additions of software connections that increase the costs, reduce performance and increase malfunction risks.

To deal with the software iceberg, the approach to software design must be revised to create a shared infrastructure. This communal infrastructure would enable the Defense Department to concentrate on the less than 10 percent of code that drives applications, rather than on the more than 90 percent that constitutes the software infrastructure. To achieve such a change calls for re-examining the organization of software.

Every transaction involved in cyber operations ultimately must communicate in the form of physical bits, such as 0s or 1s. Every question launched must originate from and then be returned to an application.

For questions and answers to be converted into streams of physical bits calls for a seven-layered process, each layer controlled by standards that define how the respective layers connect. These standards are described by an international standard, the Open Systems Interconnection (OSI) model.

Bandwidth for the passing of physical bits between layers is defined as “return latency” and is calculated in microseconds, depending on priority and on different methods to complete a transaction. How the delays in information flows are achieved is then a matter of tradeoffs across each of the OSI layers. Custom-made or improvised OSI connections will increase costs and the latency of a system.

For the Defense Department to migrate to high-performance cyber operations requires a design that allows for the sharing of at least three of the OSI layers: physical, data, network and transport. These layers may account for as much as three-quarters of infrastructure code that is written for each stand-alone application.

The OSI layers will be used to define capacity for cyber operations. The layers must function as a whole for the successful delivery of results. Except in cases that call for real-time—combat—responses, Defense Department components should field only applications using OSI layers that are shared as an enterprise infrastructure service.

The physical OSI layer (Layer 1) defines the electrical and physical specifications for components from which networks are constructed. This includes cable specifications, hubs, repeaters, network adapters, bus adapters and any devices that convey electronic signals.

Measurements call for capacity mapping that describes every element of the physical layer, defined as to its location description and capacity. Continuous monitoring of capacity, at the circuit level, keeps track of the cyber operations, such as traffic rerouting or instant detection of unauthorized access. Configuration mapping displays all connections to and from every circuit. Configuration information is needed to track the progress of every transaction, such as the number of hops from every source to every destination. Configuration databases protected by security measures must list the logical connectivity between network components, including origin and termination points. Logical links are necessary to identify paths for process fallback and for recovery of failed processing.

Calculations include identification of the conversions between digital data and any incompatible signals, such as analog, transmitted over communications channels. This is critical for tracking translations of legacy data.

The data link layer (Layer 2) provides the functional and procedural means to transfer the data between networks and to detect and correct errors that may occur in the physical layer.

Measurements require tracking of all local area network connections used for network capacity determination, for network simplification or for identification of alternative paths for passing packets of data under conditions of failure. Included is the tracking of all wide area network (WAN) connections used for network management, including re-routing of traffic under failure conditions. A WAN registry identifies circuits used for diverting communications under peak-load conditions.

The network layer (Layer 3) provides the functional and 
procedural means of transferring data from a source to a 
destination while maintaining a specified quality of service. 

Calculating this layer requires tracking all Internet protocol (IP) addresses on the entire network, including devices such as desktops, laptops, smart phones and radio-frequency identification devices. The registry of IP addresses is managed in real time and is the main indicator of the size of the network managed by cyber operations. Router IP addresses specify the number and location of routers, as well as their function and processing capabilities. Routers perform network functions such as re-assembly of packets and the reporting of delivery errors. Routers send data throughout the extended network and make connections possible through the transmission control protocol (TCP)/IP protocol.

The transport layer (Layer 4) provides transparent 
transfer of data between all points participating in the 
cyber operations. 

Calculations require the evaluation of transport uptime, which is the percentage of hours of scheduled connectivity, minus hours of unavailability, divided by hours of scheduled connectivity, calculated over a one-year period. The unavailability of every link is tracked and recorded in a number of redundant network operations centers (NOCs). Individual downtime statistics cannot be averaged but must be displayed in terms of the number of IP addresses that cannot be served, such as any unavailability in excess of one minute.

Measurements of the transport layer define computing nodes as either redundant virtualized resources or as clustered resources.

The session layer (Layer 5) controls the connections between computers. It establishes, manages and terminates the connections between the local and remote application.

Calculations keep track of architectures, such as the service-oriented architecture (SOA), which is defined by the number of reusable components that are available for applications. The total number of reusable and certified software components divided by the total number of components in use quantifies the pervasiveness of SOA services. Measures include network service statistics such as the number of legacy applications as related to the total number of applications. This evaluates the extent to which legacy applications have not been integrated into cyber operations.

A second appraisal is the number of virtual servers with cached services. Cyber operations depend on virtual servers that deliver applications to the edge of networks for low-latency processing.

A third appraisal is the number of data dictionary services. This describes the number of unique metadata and data dictionary services available from communities of interest (COIs).

The presentation layer (Layer 6) is responsible for formatting information for display. Syntactical differences in inputs to the presentation layer will be reconciled by means of dictionaries that trace differences in data representation to the point of original data entry. Assessments include network service statistics such as the number of applications that use encrypted coding. This assesses the extent to which applications are delivered in the approved encrypted formats. Another calculation is the number of applications that rely on data warehouses for support. This gauges the use of data dictionaries to ensure consistent syntax.

Finally, a number of portals exist for unencrypted access to the public Internet. This provides a method for bypassing cyber operations for access to public network services. The portal blocks transfer of transactions or files between the Internet and cyber operations.

The application layer (Layer 7) is the OSI layer that is closest to the end user. The user interacts directly with applications. This layer interacts with software that implements end-to-end communication. Governance rules may allow the use of locally managed databases provided they are not connected to cyber operations.

Measurements include access milliseconds, counting from the send command to receipt of output in excess of defined delays. Latency is gauged in comparison to all active IP addresses and is not averaged but counted as the number of incidents.
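The transport-layer uptime formula and the two "count incidents, do not average" rules above (unserved IP addresses for outages over one minute, and application responses slower than a defined delay) as an added example, not code from the article or from any Defense Department system. It assumes 24x7 scheduling (8,760 scheduled hours per year) and uses a constructed outage list; the names Outage, uptime_percent, unserved_addresses and latency_incidents are the example's own.

```python
"""Added example (not from the article): network metrics defined in the text."""
from dataclasses import dataclass

# Assumption: links are scheduled for connectivity around the clock, all year.
SCHEDULED_HOURS = 365 * 24.0  # 8760 hours


@dataclass(frozen=True)
class Outage:
    link: str
    start_hour: float   # hours since the start of the measurement year
    minutes: float      # duration of the outage
    ip_addresses: int   # IP addresses behind the link that could not be served


# Constructed sample data, as a NOC might record it for three links.
OUTAGES = [
    Outage("link-A", 120.0, 45.0, 250),
    Outage("link-A", 3000.5, 0.5, 250),    # 30 seconds: below the one-minute rule
    Outage("link-B", 10.0, 600.0, 1200),   # ten hours
    Outage("link-C", 5000.0, 3.0, 40),
]


def uptime_percent(link, outages, scheduled_hours=SCHEDULED_HOURS):
    """Transport uptime for one link over the year:
    (scheduled hours - unavailable hours) / scheduled hours, as a percentage."""
    unavailable = sum(o.minutes / 60.0 for o in outages if o.link == link)
    return (scheduled_hours - unavailable) / scheduled_hours * 100.0


def unserved_addresses(outages, threshold_minutes=1.0):
    """Do not average downtime: per link, count the IP addresses hit by any
    outage longer than the threshold (the article's one-minute rule)."""
    counts = {}
    for o in outages:
        if o.minutes > threshold_minutes:
            counts[o.link] = counts.get(o.link, 0) + o.ip_addresses
    return counts


def latency_incidents(samples_ms, limit_ms):
    """Application-layer rule: count responses exceeding the defined delay
    instead of reporting a mean access time."""
    return sum(1 for ms in samples_ms if ms > limit_ms)


if __name__ == "__main__":
    for link in ("link-A", "link-B", "link-C"):
        print(f"{link}: uptime {uptime_percent(link, OUTAGES):.5f}%")
    print("unserved addresses per link:", unserved_addresses(OUTAGES))
    print("latency incidents:", latency_incidents([120, 800, 2500, 300, 4100], 2000))
```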

Cyber operations networks must have end-to-end visibility, measurement and control of every keyboard associated with every IP address. This visibility should be present not only at the highly automated network control centers, but also as status displays offered for each local command.

Cyber operations are not comparable to commercial systems such as those for Google, Wal-Mart or Bank of America. None of these systems are subjected to information warfare attacks. Defense Department cyber operations must be viewed as having a high-security design for the OSI layers in its infrastructure. The department’s designs must be based on parameters that far exceed whatever may be acceptable in commercial systems.

It may take 10 to 20 years for the Defense Department to change its current disjointed software to a shared infrastructure where the code residing in OSI layers will be calculated and shared. Budget realities will dictate that Defense Department components will have to execute such transitions largely within existing budgets while the scale of demand for services will rise. This will require the automation of all network metrics in order to cut the operating and maintenance costs that currently dominate the department’s networks.

As the costs of computing hardware shrink to less than 8 percent of total information technology spending, the funding of network-centric systems will have to come from cost reductions in software. The cutbacks will become possible by departmental sharing across applications and by decreases in operating personnel.

The existing development, operating and maintenance costs for the Defense Department infrastructure are prohibitive. They absorb roughly a half of all information technology budgets. The acquisition of cyber operations must be driven by eliminating redundant systems and by sharing common OSI software layers. These performance measures can be viewed as the direction for the department’s investment architecture in the years to come.